Headline buries the real lede a bit in my opinion; the author has gotten a snapshot of the no-fly list from 2019. Presumably the system under attack processes more up-to-date versions of it regularly.<p>Corresponding news story: <a href="https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/" rel="nofollow">https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotecte...</a>
As a software engineer even I sometimes can't help romanticising hacking in my imagination. But so many times it turns out to be just like some company left the front gate wide open and the "hacker" walked in and took a look around.<p>E.g. when an airline had a public API where you could get someone's passport number and details just from their boarding pass <a href="https://mango.pdf.zone/finding-former-australian-prime-minister-tony-abbotts-passport-number-on-instagram" rel="nofollow">https://mango.pdf.zone/finding-former-australian-prime-minis...</a>
Interesting hack, but this seems quite the brazen confession to a fair number of computer crimes. If I were the author, I'd be worried about getting arrested and potentially extradited for this. Especially as he deliberately downloaded a load of confidential information after gaining access, and then shared it around. He'd be looking at years in prison for this, in the US.
I had always assumed that the “no fly” list was a phrase and that it didn’t refer to an actual list, but rather a database with more detailed information than a “can they fly?” column with a Y/N entry. In pharmacy we have a database we have to access when we suspect there is abuse, fraud, or diversion of controlled substances. The database is regularly updated with current information about prescriptions that were dispensed including location, prescribing physician, etc. I had always assumed the “no fly” list would be something similar. Now that I think about it though, that wouldn’t be efficient or useful at all. It would make sense for it to be much more simple.
For those unaware, maia is a pretty prolific hacktivist, and it has been indicted by a grand jury for a variety of USA govt penetrations but has USA proceedings on hold until it's extradited, which it's confident won't happen.<p><a href="https://en.wikipedia.org/wiki/Maia_arson_crimew" rel="nofollow">https://en.wikipedia.org/wiki/Maia_arson_crimew</a>
This is clearly on the darker side of gray-hat. Hate to be preachy but anyone seeking to emulate this sort of attack-finding should consider their ethical obligations as a computer scientist and follow best practices for responsible disclosure. It appears this was completely ignored here, including sharing stolen sensitive data of <i>normal people</i> with whoever can plead a case.
While VPNs shouldn't be the only device, it seems like that should be part of any competent security posture. E.g. Jenkins should only be accessible from known VPN endpoint IP addresses.<p>Administrative IAMs should be IP restricted as well: <a href="https://aws.amazon.com/premiumsupport/knowledge-center/iam-restrict-calls-ip-addresses/" rel="nofollow">https://aws.amazon.com/premiumsupport/knowledge-center/iam-r...</a>
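An added illustration of the IP-restriction pattern this comment points at (example code written for this thread, not the commenter's, CommuteAir's or AWS's own code). The policy shape follows the linked AWS article: an explicit Deny on every action when the caller's source IP is outside the VPN egress ranges, with a carve-out for calls that AWS services make on the principal's behalf, since those carry no caller IP. The CIDRs are hypothetical RFC 5737 documentation ranges, and the evaluator is a deliberately small model of IAM condition evaluation (operators ANDed, a negated operator treated as matching when its key is absent), assumed here to show why the carve-out is needed rather than to reimplement IAM.

```python
import ipaddress

# Hypothetical VPN egress ranges (RFC 5737 documentation addresses, not real ones).
VPN_EGRESS_CIDRS = ["192.0.2.0/24", "203.0.113.0/24"]


def deny_outside_vpn_policy(with_service_exception: bool = True) -> dict:
    """Explicit-Deny policy of the kind the linked AWS article describes.

    with_service_exception=False produces the naive version that also denies
    calls AWS services make on the principal's behalf (no aws:SourceIp present).
    """
    condition = {"NotIpAddress": {"aws:SourceIp": VPN_EGRESS_CIDRS}}
    if with_service_exception:
        condition["Bool"] = {"aws:ViaAWSService": "false"}
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "DenyAdminCallsFromOutsideVpn",
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": condition,
        }],
    }


def _ip_in_cidrs(ip: str, cidrs) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def _condition_matches(condition: dict, ctx: dict) -> bool:
    """Simplified model (assumption, not the IAM engine): every operator in a
    Condition block must match; a negated operator such as NotIpAddress is
    treated as matching when its key is missing from the request context,
    which is exactly why the aws:ViaAWSService exception is needed."""
    for operator, key_values in condition.items():
        for key, values in key_values.items():
            present = key in ctx
            if operator == "IpAddress":
                ok = present and _ip_in_cidrs(ctx[key], values)
            elif operator == "NotIpAddress":
                ok = (not present) or not _ip_in_cidrs(ctx[key], values)
            elif operator == "Bool":
                ok = present and str(ctx[key]).lower() == str(values).lower()
            else:
                raise NotImplementedError(operator)
            if not ok:
                return False
    return True


def is_explicitly_denied(policy: dict, ctx: dict) -> bool:
    """True if any Deny statement's Condition matches the request context.
    An explicit Deny always wins; whatever Allow grants admin is out of scope."""
    return any(
        stmt["Effect"] == "Deny"
        and _condition_matches(stmt.get("Condition", {}), ctx)
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    policy = deny_outside_vpn_policy()
    print(is_explicitly_denied(policy, {"aws:SourceIp": "192.0.2.10", "aws:ViaAWSService": False}))
    print(is_explicitly_denied(policy, {"aws:SourceIp": "198.51.100.7", "aws:ViaAWSService": False}))
    print(is_explicitly_denied(deny_outside_vpn_policy(False), {"aws:ViaAWSService": True}))
```

Two caveats a practitioner would check before shipping this: the Deny is layered on top of whatever Allow grants the admin rights, so the allowlist only narrows, never grants; and requests arriving through a VPC endpoint do not carry aws:SourceIp at all, so callers inside the VPC need a separate condition on aws:SourceVpce or aws:SourceVpc rather than this one. The same egress ranges are what the security group or reverse proxy in front of Jenkins should be allowlisting.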
From the accompanying (and linked) <i>Daily Dot</i> article[1]:<p>> On the list were several notable figures, including the recently freed Russian arms dealer Viktor Bout, alongside over 16 potential aliases for him.<p>> [...]<p>> Numerous names included aliases that were common misspellings or slightly altered versions of their names.<p>For non-natively-Latin names, the US government is thorough to the point of hilarity in including every possible romanization and misspelling of one, and they list full names not their individual parts so combinatorics ahoy, as well. For example, if you know a bit of any Slavic language written in Cyrillic, browse the Russian sanction lists, it’s going to give you a chuckle.<p>In all seriousness, this actually makes perfect sense given the prospective consumers of the lists may not have any clue about the languages the targeted people speak. It’s just that the article makes 16 aliases sound vaguely sinister, whereas if you’re a Russian—or, for that matter, a Ukrainian or a Belarusian—that’s just a reasonably low estimate for how many romanizations of your name people may think up. (Not that Bout isn’t sinister as hell.)<p>[1] <a href="https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotected-server-commuteair/" rel="nofollow">https://www.dailydot.com/debug/no-fly-list-us-tsa-unprotecte...</a>
TIL <a href="https://en.wikipedia.org/wiki/Maia_arson_crimew" rel="nofollow">https://en.wikipedia.org/wiki/Maia_arson_crimew</a><p>> In March 2021, crimew was indicted by a grand jury in the United States on criminal charges related to her alleged hacking activity between 2019 and 2021. The charges were unrelated to the hack of Verkada. Her home and her parents' home were raided by the Swiss police at the request of United States authorities, and her electronic devices were seized. People used the hashtag "#freetillie" to express support for her in the aftermath of the raid, and the Swiss magazine Republik compared her to Jeremy Hammond and Aaron Swartz.
Apropos of nothing, I also just really appreciate crimew.gay's aesthetic.<p>This website is what me from 1993 thought a hacker's website would look like. A nod of respect to them for kickin' it old-school.
Cached version from the internet archive: <a href="http://web.archive.org/web/20230119220130/https://maia.crimew.gay/posts/how-to-hack-an-airline/" rel="nofollow">http://web.archive.org/web/20230119220130/https://maia.crime...</a>
> with pretty much no skill required<p>Seriously? I know like none of the tools or terms they used, like wtf is shodan?<p>In general the author doesn't seem to follow the white hat guidelines, and I'd be worried what they've done is quite illegal (possibly on a federal level if the nofly list is so secret)
Oh it must be nice to be able to do things like this, while only keeping an eye out for the laws of your own country, safe in the knowledge that your government won't extradite you for breaking the laws of another country.
The headline made me think this was about a scheme where you register as an airline, just to get access to the list. I mean, how many planes do you need to own to be an airline?
<i>assuming i was willing to ever interact with a SOAP api in my life which i sure as hell am not</i><p>^^^ this killed me. i'm sure everyone who has ever interacted with a SOAP api feels the same. god bless this tiny kitten/person/hacktivist, the world needs more of this energy.
<a href="https://www.egattorneys.com/federal-computer-hacking" rel="nofollow">https://www.egattorneys.com/federal-computer-hacking</a><p>See in particular the broad definition of “protected computer.”
This is gonna be random but I love people just shamelessly being themselves on the Internet. This person is literally a kitty cat playing around and I find that adorable~<p>Oh, also secure your Jenkins servers.
The TSA no fly list is a blatant violation of the Constitution: for the government to be able to remove a right, you must be convicted at trial.<p>The fact it still exists at all is incredible, but a disturbing precedent.
This would be a good candidate for a k-anonymous API where you can query if a specified full name, DoB, etc., is in the list without divulging the list or the request.
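A worked version of the k-anonymous lookup this comment proposes, added here as an example and not code from the original post or from any airline or government system. It uses the hash-prefix range-query design popularised by the Have I Been Pwned password API: the client hashes the canonicalised name and date of birth, sends only a short prefix of the digest, receives every suffix in that bucket, and finishes the match locally. The list entries, prefix length and canonicalisation rule are all assumptions made for the demo.

```python
import hashlib
from collections import defaultdict

# Constructed sample list for the demo; every name below is made up.
SAMPLE_LIST = [
    ("Example Person One", "1970-01-01"),
    ("Example Person Two", "1985-06-15"),
    ("Example Person Two", "1985-06-16"),   # same name, different DoB
    ("Example Person Three", "1992-11-30"),
]

PREFIX_LEN = 5  # hex chars of the SHA-256 digest sent to the server (20 bits)


def record_hash(full_name: str, dob: str) -> str:
    """Canonicalise a (name, DoB) pair so client and server hash identical bytes.
    Assumed rule: case-folded, whitespace-collapsed name, ISO date, '|' separator."""
    canon = " ".join(full_name.casefold().split()) + "|" + dob.strip()
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


class RangeServer:
    """Holds the list only as digests bucketed by prefix; never sees a full query."""

    def __init__(self, records):
        self.buckets = defaultdict(list)
        for name, dob in records:
            digest = record_hash(name, dob)
            self.buckets[digest[:PREFIX_LEN]].append(digest[PREFIX_LEN:])

    def range_query(self, prefix: str) -> list:
        # Validate strictly: the prefix is the only client-controlled input.
        if len(prefix) != PREFIX_LEN or set(prefix) - set("0123456789abcdef"):
            raise ValueError("prefix must be %d lowercase hex chars" % PREFIX_LEN)
        return sorted(self.buckets.get(prefix, []))


def query_prefix(full_name: str, dob: str) -> str:
    """Everything the client puts on the wire: the digest prefix, nothing else."""
    return record_hash(full_name, dob)[:PREFIX_LEN]


def client_is_listed(server: RangeServer, full_name: str, dob: str) -> bool:
    """Client side: fetch the bucket for the prefix and finish the match locally."""
    digest = record_hash(full_name, dob)
    return digest[PREFIX_LEN:] in server.range_query(digest[:PREFIX_LEN])


if __name__ == "__main__":
    srv = RangeServer(SAMPLE_LIST)
    print(client_is_listed(srv, "example person one", "1970-01-01"))   # listed
    print(client_is_listed(srv, "Example Person Two", "1985-06-17"))   # not listed
```

Two things to size before using this for real. The anonymity set is the bucket, so the prefix length must be chosen against the list size (a 20-bit prefix over a list of tens of thousands of entries leaves most buckets empty or holding one record, which is k=1, and empty buckets should be padded with decoys so bucket size leaks nothing). More importantly, this design hides the request from the server but does not hide the list from the client: a full name plus date of birth has little entropy, so anyone who pulls all the buckets can brute-force the digests offline. Meeting the comment's "without divulging the list" half would need a keyed construction such as an OPRF or a private set intersection protocol, where the server's key never leaves it.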
Surprised to see this guy wasn't already in prison due to his previous antics, and it's too bad he didn't responsibly report this issue through the proper channels. Everyone's luck is bound to run out at some point.
I'm not confident that it is safe to link to a site operated by such a hacktivist. I prefer to see a link to the news article in the HN headline, rather than the criminal hacker's website itself, but I don't know the rules.
> Suspected members of the IRA, the Irish paramilitary organization, were also on the list.<p>Oof, the international politics always come out in things like this. Twitter also publicizes all of its suspensions and bans. There's a Wikipedia article with a list of all the notable suspensions since 2010. It's interesting to see that, contrary to popular narratives, many of the international groups banned were actually far-left aligned.<p>The list gets really boring the more you scroll down however. The last notable ban was Paul Graham for simply sharing their Mastodon handle. A boring dystopia indeed.<p><a href="https://en.wikipedia.org/wiki/Twitter_suspensions" rel="nofollow">https://en.wikipedia.org/wiki/Twitter_suspensions</a>
After seeing the title but before clicking on the article, I thought this would be about a legal hack rather than a security hole. More specifically, creating the minimum possible corporation that qualifies as an airline (so that you literally <i>own</i> an airline), and then saying to the government, "hey, we need the nofly list, we're an airline, see?". The actual hack sounds way easier, to be sure, but I still like my version the best.
Relatively off-topic, but I absolutely love the 90s/early 2000s vibes I get from this. I can't remember the last time I saw a webring, much less one with animated logos.
For reference, it/she [1] previously was named Tillie Kottman [2] and was indicted by the US in 2021 [3].<p>[1] <a href="https://maia.crimew.gay/" rel="nofollow">https://maia.crimew.gay/</a><p>[2] <a href="https://en.wikipedia.org/wiki/Maia_arson_crimew" rel="nofollow">https://en.wikipedia.org/wiki/Maia_arson_crimew</a><p>[3] <a href="https://www.justice.gov/usao-wdwa/pr/swiss-hacker-indicted-conspiracy-wire-fraud-and-aggravated-identity-theft" rel="nofollow">https://www.justice.gov/usao-wdwa/pr/swiss-hacker-indicted-c...</a>
This guy is a (hobbyist?) security researcher who responsibly alerts companies of vulnerabilities.<p>However are his actions of downloading the no fly list and offering to share with journalists legal? Or does that cross into overreach and criminal activity?